# Identity the Forgejo VM runs as. Every binding below either grants this
# service account access to a resource, or grants the admin user access
# to the VM itself.
resource "google_service_account" "forgejo" {
  display_name = "Forgejo VM service account"
  account_id   = "forgejo-vm"
}

# Read access to the two Forgejo secrets. The binding is per secret
# (secret-level IAM), not project-wide, so the VM cannot read any other
# secret in the project.
resource "google_secret_manager_secret_iam_member" "forgejo_secrets" {
  for_each = toset([
    "forgejo-secret-key",
    "forgejo-internal-token",
  ])

  project   = var.project_id
  secret_id = each.value
  member    = "serviceAccount:${google_service_account.forgejo.email}"
  role      = "roles/secretmanager.secretAccessor"
}

# Lets the VM write backups into the backups bucket (the bucket itself is
# declared elsewhere in this configuration).
# NOTE(review): roles/storage.objectAdmin also permits overwriting and
# deleting existing objects, so a compromised VM could destroy its own
# backups. roles/storage.objectCreator would be narrower if the backup job
# never overwrites or prunes objects — confirm against the backup script
# before tightening.
resource "google_storage_bucket_iam_member" "backups_writer" {
  member = "serviceAccount:${google_service_account.forgejo.email}"
  bucket = google_storage_bucket.backups.name
  role   = "roles/storage.objectAdmin"
}

# Admin SSH path, part 1: IAP TCP forwarding scoped to this one instance
# (instance-level binding), so no public SSH port is needed.
resource "google_iap_tunnel_instance_iam_member" "ssh_admin" {
  member   = "user:${var.admin_email}"
  role     = "roles/iap.tunnelResourceAccessor"
  project  = var.project_id
  zone     = var.zone
  instance = google_compute_instance.forgejo.name
}

# Admin SSH path, part 2: OS Login role for the same admin user. This one
# is bound at project level, so it applies to every OS Login-enabled
# instance in the project, not only the Forgejo VM.
resource "google_project_iam_member" "ssh_os_login" {
  member  = "user:${var.admin_email}"
  role    = "roles/compute.osLogin"
  project = var.project_id
}